Re: [PATCH] kexec: Disable at runtime if the kernel enforces modulesigning

From: Matthew Garrett
Date: Fri Aug 09 2013 - 12:11:30 EST

On Fri, 2013-08-09 at 11:35 -0400, Vivek Goyal wrote:

> Also what about all the other patches you had for secureboot where you
> closed down all the paths where root could write to kernel memory. So
> if you want to protect sig_enforce boolean, then you need to close down
> all these paths irrespective of secureboot?

Fair point. The bar is slightly higher there, but yes, it seems
reasonable to say that enforcing module signing (and, come to think of
it, modules_disabled) should also lock down the other obvious mechanisms
for root to get code into the kernel.

Matthew Garrett | mjg59@xxxxxxxxxxxxx
N‹§²æìr¸›yúèšØb²X¬¶ÇvØ^–)Þ{.nÇ+‰·¥Š{±‘êçzX§¶›¡Ü}©ž²ÆzÚ&j:+v‰¨¾«‘êçzZ+€Ê+zf£¢·hšˆ§~†­†Ûiÿûàz¹®w¥¢¸?™¨è­Ú&¢)ßf”ù^jÇy§m…á@A«a¶Úÿ 0¶ìh®å’i